[Freeipa-users] Web UI Authentication errors - revisited
Dmitri Pal
dpal at redhat.com
Fri Mar 6 01:21:19 UTC 2015
On 03/05/2015 08:09 PM, Dan Mossor wrote:
>
>
> On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/05/2015 07:36 PM, Dan Mossor wrote:
>> On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofsatx at gmail.com> wrote:
>>
>>
>>
>> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>> As an additional test, I created a new user on my
>>> workstation and switched to it. The first thing I did
>>> was kinit as admin, then started Firefox, went through
>>> the browser configuration provided by the IPA server,
>>> and attempted to log in. I received the same error[1].
>>>
>>> [1]http://i.imgur.com/mhX86Ng.png
>>>
>>>
>> Have you checked times and time zones on the client and
>> on the server?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> The server is set for GMT time, whereas the client is set for
>> local time, US Central Standard Time. Except for that
>> difference, they are within 1 second of each other.
>>
>> Dan
>>
>> As an experiment after this email exchange, I switched the server
>> to Central Standard Time using timedatectl. I then ran kinit
>> again, and attempted to log into the GUI. There was no change - I
>> still cannot access the GUI. Here is the krb5kdc.log from the period:
>>
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH:
>> host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL,
>> Additional pre-authentication required
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE:
>> authtime 1425601734, etypes {rep=18 tkt=18 ses=18},
>> host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE:
>> authtime 1425601734, etypes {rep=18 tkt=18 ses=18},
>> host/dmfedora.rez.lcl at REZ.LCL for ldap/vader.rez.lcl at REZ.LCL
>> Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH:
>> admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL,
>> Additional pre-authentication required
>> Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE:
>> authtime 1425601765, etypes {rep=18 tkt=18 ses=18},
>> admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH:
>> repeated (retransmitted?) request from 10.1.1.15, resending
>> previous response
>> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH:
>> HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL,
>> Additional pre-authentication required
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE:
>> authtime 1425601784, etypes {rep=18 tkt=18 ses=18},
>> HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH:
>> admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL,
>> Additional pre-authentication required
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE:
>> authtime 1425601784, etypes {rep=18 tkt=18 ses=18},
>> admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6
>> etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE:
>> authtime 1425601765, etypes {rep=18 tkt=18 ses=18},
>> admin at REZ.LCL for HTTP/vader.rez.lcl at REZ.LCL
>>
>>
>> One thing I did determine is the authtime in the krb5kdc log is
>> epoch time. I checked it, and it translates directly to the
>> standard time.
>>
>> Dan
>
> Hm. OK.
>
> I do not think it was ever mentioned which version of the
> server and client you are running, but based on the UI it seems
> like the latest.
> Also, you are trying to log in after using kinit. Can you log in using
> forms-based authentication, or does that not work either?
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> I can't seem to locate the form based authentication for 4.1.2-1 - I
> was going to try that in order to add the information to this thread,
> but I can find no reference as to where it is and I can't find it
> manually on the file system. Can you give me the default URL for it?
>
> freeipa-server-4.1.2-1.fc21.x86_64
> freeipa-client-4.1.2-1.fc21.x86_64
>
> Dan
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
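
Added example, not part of the original thread: a small parser for the krb5kdc ISSUE entries quoted above that converts `authtime` from epoch seconds to UTC and compares it with each entry's log timestamp, which shows the server's timezone switch and the age of the TGT at the HTTP ticket request. The sample lines are reconstructed from the thread (unwrapped, link residue dropped, the archive's " at " written as "@"); the year 2015 and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: entries from the thread, one per line, "@" restored.
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

ISSUE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{.*?\}, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

def parse_issued(log_text, year=2015):
    """Return one dict per ISSUE entry; other entries (NEEDED_PREAUTH, ...) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ISSUE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # The log timestamp has no year or zone: it is the server's local time.
        entry["logged_local"] = datetime.strptime(
            f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        # authtime is epoch seconds; keep it as naive UTC for arithmetic.
        entry["authtime_utc"] = datetime.fromtimestamp(
            int(m["authtime"]), tz=timezone.utc).replace(tzinfo=None)
        entries.append(entry)
    return entries

def implied_offset_hours(entry):
    """For an AS_REQ the TGT is issued at authtime, so the difference between
    the log timestamp and authtime is the UTC offset the server logged in."""
    if entry["req"] != "AS_REQ":
        raise ValueError("offset is only meaningful for AS_REQ entries")
    return (entry["logged_local"] - entry["authtime_utc"]).total_seconds() / 3600

def tgt_age_seconds(entry, offset_hours):
    """Seconds between the initial authentication and this logged request."""
    logged_utc = entry["logged_local"] - timedelta(hours=offset_hours)
    return (logged_utc - entry["authtime_utc"]).total_seconds()

if __name__ == "__main__":
    for e in parse_issued(SAMPLE_LOG):
        print(e["req"], e["client"], "->", e["service"], e["authtime_utc"])
```

On the sample, the first AS_REQ implies an offset of 0 hours (GMT) and the later one -6 hours (US Central Standard Time), and the TGS_REQ for HTTP/vader.rez.lcl arrives 19 seconds after admin's initial authentication.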